LOCAL SECURITY AND PERMISSIONS
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | www.sevecek.com
Outline
Generic Terminology
NTFS Permissions
Registry Permissions
LDAP Permissions
File Sharing
Disk Quotas
Windows Management Instrumentation
Other Permission Settings
Windows Firewall
Service Accounts and Impersonation
Physical Security
BitLocker
Dynamic Access Control
GENERIC TERMINOLOGY
Advanced Windows Security
Security Descriptor
Objects are protected with permissions: files, folders, registry keys, LDAP objects, printers, windows, desktops, ...
ACE – Access Control Entry: one item in the permissions list, either Deny or Allow
ACL – Access Control List: the permissions list (strictly the DACL, Discretionary Access Control List)
SACL – System Access Control List: the auditing ACL; same ACE format, but its entries generate audit events instead of granting or denying access
Owner
Object Owner
  when a member of the Administrators group creates an object, the owner is set to the Administrators group instead of the individual user
  the owner can always change permissions (WRITE_DAC is implied by ownership), even if explicitly denied in the ACL
Take Ownership
  user right (SeTakeOwnershipPrivilege) that allows taking ownership of any object; Administrators hold it by default
CREATOR OWNER identity
  placeholder used in inheritable ACEs; when a child object is created, the ACE is copied with CREATOR OWNER replaced by the SID of the creating user
ACL Processing vs. ACE Order
ACEs are ordered and are evaluated in the order present, like firewall rules
  the walk stops as soon as all requested rights have been granted by Allow ACEs, or as soon as a Deny ACE covers a requested right that has not been granted yet
Note: this is contrary to the common statement that Deny ACEs are always stronger
  a Deny wins only because the canonical order puts explicit Deny before explicit Allow, and explicit ACEs before inherited ones
  the correct (canonical) order must be maintained by applications when they modify an ACL; the GUI and ICACLS do it, raw SetSecurityInfo callers may not
Lab: Investigate Incorrect ACE Order
Log on to GPS-WKS as Kamil
Start REGEDIT
Right-click SYSTEM\CurrentControlSet\Services\{anyGUID}\Parameters\Tcpip and select Permissions
Note the text: "The permissions on the object are incorrectly ordered, which may cause some entries to be ineffective"
Click Cancel to see the incorrect order, click Advanced and note that the Full Control permissions are lower in the list than expected
Auditing
Object Access auditing category
  the general switch that turns object auditing on/off
ACEs in the SACL of objects
  be careful to audit only the precisely required ACEs
  applications generate an extreme number of access attempts; a broad SACL floods the Security log
NTFS PERMISSIONS
NTFS Permissions
Common Permissions
Common permission = real (advanced) permissions
Read = Read data / List folder, Read attributes, Read extended attributes, Read permissions (READ_CONTROL)
Read & Execute = Read + Traverse folder / Execute file
Write = Create files / Write data, Create folders / Append data, Write attributes, Write extended attributes
Modify = Read & Execute + Write + Delete (not Delete subfolders and files)
Full Control = Modify + Delete subfolders and files + Change permissions (WRITE_DAC) + Take ownership (WRITE_OWNER)
NTFS Permissions
Dynamic Access Control (DAC)
NTFS Inheritance
Newly created folders and files inherit from the parent by default
Explicit permissions can be granted in addition
Inheritance can be blocked
NTFS Copying vs. Moving
                  Single volume                   Between volumes
Move              keeps permissions (!)           inherits from the new parent
Copy              inherits from the new parent    inherits from the new parent
note: moving a file/folder within a volume keeps its inherited permissions although they are not inherited from the new parent (they are still displayed in gray)
Lab: Common Documents
Log on to server GPS-DATA
Create F:\FS
  permissions: inheritance disabled (remove all inherited)
  Allow, Administrators, Full Control, All objects
Create F:\FS\Doc
  permissions: inheriting from parent, plus
  Allow, Employees, Read & Execute + Create folders, This folder only
  Allow, Employees, Modify, Subfolders and files only
  Allow, BIKES\Bikers, Read & Execute, All objects
Lab: User Home Folders
Log on to server GPS-DATA
Create F:\FS\Homes
  permissions: inheriting from parent, plus
  Allow, Employees, Read & Execute, This folder only
  Allow, Employees, Create folders, This folder only
  Allow, Domain Computers, Read & Execute, This folder only
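The two labs above done from PowerShell, as an added example that is not part of the original deck. It builds the F:\FS, F:\FS\Doc and F:\FS\Homes structure and shows how the GUI "Applies to" choices (This folder only / Subfolders and files only / All objects) map to InheritanceFlags and PropagationFlags. The group names are the labs'; $Root is an assumption so the script can be pointed at a scratch folder.

```powershell
# Added example, not part of the original deck: builds the F:\FS, F:\FS\Doc and
# F:\FS\Homes structure from the two labs above and shows how the GUI "Applies to"
# choices map to InheritanceFlags / PropagationFlags. Group names are the labs';
# $Root is an assumption so the script can be pointed at a scratch folder.
param([string]$Root = 'F:\FS')

function New-FsRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('ThisFolderOnly', 'SubfoldersAndFilesOnly', 'AllObjects')][string]$AppliesTo,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    # GUI "Applies to"              -> InheritanceFlags                  / PropagationFlags
    switch ($AppliesTo) {
        'ThisFolderOnly'         { $inh = 'None';                            $prop = 'None' }
        'SubfoldersAndFilesOnly' { $inh = 'ContainerInherit, ObjectInherit'; $prop = 'InheritOnly' }
        'AllObjects'             { $inh = 'ContainerInherit, ObjectInherit'; $prop = 'None' }
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inh, $prop, $Type)
}

function Set-LabFolderAcl {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemAccessRule[]]$Rules,
        [switch]$BlockInheritance
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    if ($BlockInheritance) {
        # (isProtected = $true, preserveInheritance = $false) is the dialog's "disable inheritance, remove all"
        $acl.SetAccessRuleProtection($true, $false)
        # drop leftover explicit ACEs too, so the folder ends up with exactly the rules below
        foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($old) }
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# F:\FS: inheritance disabled, only Administrators
Set-LabFolderAcl -Path $Root -BlockInheritance -Rules @(
    (New-FsRule 'BUILTIN\Administrators' FullControl AllObjects)
)
# F:\FS\Doc: inherits from the parent, plus the lab's explicit ACEs
Set-LabFolderAcl -Path "$Root\Doc" -Rules @(
    (New-FsRule 'GPS\Employees' 'ReadAndExecute, CreateDirectories' ThisFolderOnly),
    (New-FsRule 'GPS\Employees' Modify SubfoldersAndFilesOnly),
    (New-FsRule 'BIKES\Bikers'  ReadAndExecute AllObjects)
)
# F:\FS\Homes: users may create their own folder but only list the top level
Set-LabFolderAcl -Path "$Root\Homes" -Rules @(
    (New-FsRule 'GPS\Employees'        ReadAndExecute    ThisFolderOnly),
    (New-FsRule 'GPS\Employees'        CreateDirectories ThisFolderOnly),
    (New-FsRule 'GPS\Domain Computers' ReadAndExecute    ThisFolderOnly)
)

# the same view the Advanced Security dialog gives, including the inherited Administrators ACE
Get-Acl -Path "$Root\Doc" | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

The important detail is the InheritOnly propagation flag on the Modify ACE: it is what makes Employees able to modify everything under Doc without being able to delete or rename the Doc folder itself, which is exactly the "Subfolders and files only" choice in the dialog.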
Roaming Profiles GPOs
Default Volume Permissions
SYSTEM, Full Control
  needed to be able to create the page file
Administrators, Full Control
Users, Read & Execute
Users, Create subfolders
CREATOR OWNER, Full Control
  users can create subfolders; in them, as owners, they can do anything
Lab: Default Volume Root and Profile Permissions
Log on to server GPS-DATA
Verify C:\ root folder permissions
Log on to GPS-WKS as GPS\Kamil
Verify C:\Users\Jitka folder permissions
Lab: Inherited Deny Can Be Overridden
Log on to server GPS-DATA
Create a new file F:\FS\Doc\people.txt
Add the following ACE to the F:\FS\Doc folder: Deny, Kamil, Delete
Open the properties of the file F:\FS\Doc\people.txt and add the following ACE to the file: Allow, Kamil, Full Control
Navigate into the Advanced Security properties and verify that the explicit Allow ACE is higher in the list than the inherited Deny ACE, so Kamil can delete the file
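A small model of the access-check walk, as an added example that is not part of the original deck. It serves both the "ACL Processing vs. ACE Order" slide and the lab above: the ACEs are built in memory only, the identities are the lab's, and the function reproduces how Windows walks a DACL in order, which is why the explicit Allow placed above the inherited Deny wins.

```powershell
# Added example, not part of the original deck: a small model of the access-check walk
# over a DACL, used to show why the explicit Allow ACE that the lab puts above the
# inherited Deny wins. The ACEs are built in memory only; identities are the lab's.
function Test-DaclAccess {
    param(
        [System.Security.AccessControl.FileSystemAccessRule[]]$Dacl,   # in the order they sit in the ACL
        [string[]]$TokenIdentities,                                    # user and group names in the caller's token
        [System.Security.AccessControl.FileSystemRights]$Requested
    )
    $remaining = [int]$Requested                                       # rights still to be granted
    for ($i = 0; $i -lt $Dacl.Count; $i++) {
        $ace = $Dacl[$i]
        if ($TokenIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            # a Deny stops the walk only for rights that an earlier Allow has not granted yet
            if ($mask -band $remaining) {
                return "DENIED by ACE #$($i + 1): $($ace.IdentityReference) Deny $($ace.FileSystemRights)"
            }
        } else {
            $remaining = $remaining -band (-bnot $mask)
            if ($remaining -eq 0) { return "GRANTED by ACE #$($i + 1)" }  # everything requested is covered, walk stops
        }
    }
    return 'DENIED: end of DACL reached without all rights granted'
}

$allowKamilFull  = New-Object System.Security.AccessControl.FileSystemAccessRule('GPS\Kamil', 'FullControl', 'Allow')
$denyKamilDelete = New-Object System.Security.AccessControl.FileSystemAccessRule('GPS\Kamil', 'Delete', 'Deny')
$kamilToken = 'GPS\Kamil', 'GPS\Employees', 'Everyone'

# people.txt after the lab: explicit Allow first, inherited Deny after it (canonical order)
Test-DaclAccess -Dacl @($allowKamilFull, $denyKamilDelete) -TokenIdentities $kamilToken -Requested Delete
# the same two ACEs with the Deny on top, which is what you get when both are explicit
Test-DaclAccess -Dacl @($denyKamilDelete, $allowKamilFull) -TokenIdentities $kamilToken -Requested Delete

# on a real object .NET can tell you whether the DACL is canonical, which is the REGEDIT warning from the earlier lab
(Get-Acl -Path $env:SystemRoot).AreAccessRulesCanonical
```

The first call reports the access as granted and the second as denied, although the two DACLs contain the very same ACEs; only their order differs. The AreAccessRulesCanonical check at the end is the programmatic form of the "permissions are incorrectly ordered" warning and is worth running over sensitive paths when an application has been writing ACLs on its own.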
Tools for NTFS Permissions
CACLS – limited, built into Windows XP
XCACLS – limited, part of the Windows Resource Kit
ICACLS – full functionality, Windows Vista/2008+
PowerShell – Get-Acl, Set-Acl
ROBOCOPY /COPYALL – copies data together with security (DACL, owner, SACL)
AccessEnum – Sysinternals, shows who has access where
NTFS auditing subcategories
Auditing DELETE: a single delete shows up as several events in the Security log
  the handle is opened with DELETE access (4656 handle requested, 4663 access attempted)
  another open may follow (e.g. Explorer reading attributes)
  the final delete is logged as 4660 (object deleted); correlate the events on the Handle ID
Note: Permissions and size metering
Incorrect folder sizes as a result of inaccessible sub-items (Explorer silently skips what it cannot read)
Note: Alternate NTFS data streams
ECHO ahoj > test.txt:SevecekHiddenData
MORE < test.txt:SevecekHiddenData
the stream does not show in the DIR size and is dropped when the file is copied to FAT or sent by e-mail
Used by Windows itself for
  Summary Information on Windows XP/2003 only
  .URL link favicon
  Zone.Identifier on .EXE files downloaded from the internet/network (mark of the web, the basis of the "Unblock" button and SmartScreen)
DIR /R lists the streams (since 8/2012)
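The same stream operations from PowerShell, as an added example that is not part of the original deck. It repeats the ECHO/MORE lines, lists every stream of a file, and reads and removes the Zone.Identifier stream that marks downloaded files; the scratch file under $env:TEMP is created by the script itself.

```powershell
# Added example, not part of the original deck: does what the ECHO/MORE lines above do
# from PowerShell, lists every stream of a file, and reads the Zone.Identifier stream
# that marks downloaded files. The file under $env:TEMP is a scratch file created here.
$file = Join-Path $env:TEMP 'test.txt'
Set-Content -Path $file -Value 'visible content'
Set-Content -Path $file -Stream 'SevecekHiddenData' -Value 'ahoj'   # ECHO ahoj > test.txt:SevecekHiddenData

Get-Content -Path $file                                              # main stream, unchanged
Get-Content -Path $file -Stream 'SevecekHiddenData'                  # MORE < test.txt:SevecekHiddenData
# DIR shows only the size of the unnamed ':$DATA' stream; the others are visible only this way (or DIR /R)
Get-Item -Path $file -Stream * | Format-Table Stream, Length -AutoSize

function Get-DownloadZone {
    # returns the ZoneId of a file's mark of the web (3 = Internet, 4 = Restricted), or $null for local files
    param([string]$Path)
    $zi = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in @($zi)) {
        if ($line -match '^ZoneId=(\d)') { return [int]$Matches[1] }
    }
    return $null
}

# mark the scratch file the way a browser marks a download, then read the mark back
Set-Content -Path $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Get-DownloadZone -Path $file
Unblock-File -Path $file            # removes Zone.Identifier, the same as the "Unblock" button in Properties
Get-DownloadZone -Path $file

# hunting: every file in a folder that carries a named stream besides the data stream
Get-ChildItem -Path $env:TEMP -File | Get-Item -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

Remove-Item -Path $file
```

The last pipeline is the one to keep: run over a share or a user profile it lists every file that carries data outside its main stream, which is how hidden payloads are found and how you check that downloaded executables still carry their mark of the web.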
REGISTRY PERMISSIONS
Registry Permissions
Mainly like NTFS permissions (same ACE types, same inheritance model)
Apply to keys only
  individual values cannot be secured; protect the key that contains them
Registry Permissions
User Profile Permissions
User Profiles and Registry
User profiles
  C:\Documents and Settings\%username% (XP/2003)
  C:\Users\%username% (Vista/2008+)
User registry hive
  %USERPROFILE%\NTUSER.DAT, loaded as HKEY_CURRENT_USER at logon
Copying profiles
  use the System – Advanced – User Profiles tool for Default User only
  use USMT (User State Migration Tool) for real user profiles; a raw copy of NTUSER.DAT keeps the original user's ACEs, which is what the next lab verifies
Lab: Copying User Profiles
Log on to GPS-DC and start ADUC
Create a new user account
  name: Klara
  options: Password never expires
Log on to GPS-WKS as Kamil and start Control Panel – System – Advanced – User Profiles
Copy Judit's profile to C:\Users\Klara and set "Permitted to use" to Klara
Start REGEDIT – File – Load Hive and load the C:\Users\Klara\NTUSER.DAT hive into HKLM\Klara
Verify the registry permissions on the user's registry hive
LDAP PERMISSIONS
Active Directory Permissions
Enable the Security tab in ADUC: View – Advanced Features
Inheritance: the same model as with NTFS
Some other differences against NTFS
  moving objects
  newly created objects
  the SELF identity (placeholder for the object itself, e.g. a user changing its own attributes)
Default Security Descriptor
Newly created objects
  inherit from the parent (the same as with NTFS)
  receive explicit ACEs from the Default Security Descriptor
Default Security Descriptor
  defined per class in the AD Schema (defaultSecurityDescriptor attribute of the classSchema object)
  modified occasionally by schema extensions
Lab: Default Security Descriptor
Log on to GPS-DC and start ADUC
Open Properties of the Kamil user account
Open Security – Advanced and verify that it contains a number of non-inherited ACEs
Run REGSVR32 SCHMMGMT.DLL
Run MMC and add the Active Directory Schema snap-in
Find the user class and open its properties
Verify that the Default Security corresponds to the non-inherited ACEs seen on Kamil
Lab: Join computer permissions
$ou = 'OU=Workstations,OU=Computers,OU=Company,DC=gopas,DC=virtual'
$who = 'GPS\WKS Admins'
# /S restores the schema default security, /T applies it to the whole subtree: a clean start for the lab
dsacls $ou /T /S
# create computer objects in the OU
dsacls $ou /Grant "$($who):CC;computer"
# rights on the computer objects themselves (/I:S = inherit to sub-objects only)
dsacls $ou /I:S /Grant "$($who):CA;Reset Password;computer"
dsacls $ou /I:S /Grant "$($who):RPWP;pwdLastSet;computer"
dsacls $ou /I:S /Grant "$($who):RPWP;servicePrincipalName;computer"
dsacls $ou /I:S /Grant "$($who):RPWP;dNSHostName;computer"
dsacls $ou /I:S /Grant "$($who):RPWP;msDS-AdditionalDnsHostName;computer"
# the Account Restrictions property set is really needed on top of userAccountControl
# in order to disable the account when dis-joining the domain
dsacls $ou /I:S /Grant "$($who):RPWP;Account Restrictions;computer"
# for groups in the OU, when the join script also manages group membership
dsacls $ou /I:S /Grant "$($who):RPWP;member;group"
The NETDOM JOIN script must use the Kerberos UPN form (user@gopas.virtual) because of the Protected Users group: NTLM is refused for its members, and only the UPN form guarantees Kerberos
Lab: Move computer permissions
$ouSrc = 'OU=Computers,OU=Company,DC=gopas,DC=virtual'
$ouTgt = 'OU=Workstations,OU=Company,DC=gopas,DC=virtual'
$who = 'GPS\WKS Admins'
# on the target OU
dsacls $ouTgt /Grant "$($who):CC;computer"
# on the objects in the source OU
dsacls $ouSrc /I:S /Grant "$($who):SD;;computer"
dsacls $ouSrc /I:S /Grant "$($who):WP;distinguishedName;computer"
dsacls $ouSrc /I:S /Grant "$($who):WP;name;computer"
dsacls $ouSrc /I:S /Grant "$($who):WP;cn;computer"
Inheritance and Moving Objects
Contrary to NTFS, inherited permissions are lost after move
Moved objects inherit new permissions from their target parent
Tools for LDAP Permissions
DSACLS
  strongly recommended over the GUI; scriptable and shows exactly which ACE was granted
Delegation of Control Wizard
  can be modified (delegwiz.inf) in order to add new permission templates
LDAP Auditing
Subcategories of the DS Access category
  Directory Service Access
  Directory Service Changes
  Directory Service Replication
  Detailed Directory Service Replication
Directory Service Access audits reads and writes according to the object's SACL (event 4662)
Directory Service Changes records individual attribute values before and after the change (5136 modify, 5137 create, 5139 move, 5141 delete)
AD Console Custom Views
Lab: LDAP Permissions
Start CMD on GPS-DC as a domain admin
Grant Kamil permissions to modify the users' mail address in the People OU
dsacls ou=people,ou=company,dc=gopas,dc=virtual /I:S /G "gps\kamil:RPWP;mail;user"
Start MMC on GPS-WKS and add and customize the Active Directory Users and Computers console
Verify that Kamil can modify only the users' e-mail address
FILE SHARING
File Sharing
SMB – Server Message Block protocol
  sometimes referred to as CIFS (Common Internet File System), which strictly is the SMB1 dialect
  TCP 445, or NetBIOS (TCP 139) for backward compatibility with NT 4.0/98 and older
SMB versions
  v1 – uninstall since 2012 (required only by XP/2003 and older)
  v2 – since Vista/2008
  v3 – since 2012/8 (adds encryption)
Its own level of permissions
  default Read only; not usually used for access control, set Everyone = Full Control and control access with NTFS
  was used in the past with FAT (no file permissions) or on Terminal Servers
Sharing Permissions
Read
Change
  write, delete, create folders, ...
Full Control
  change permissions
Share permissions are the only way to prevent the OWNER from gaining full control of his own files: the owner can always rewrite the NTFS DACL, but not the share ACL
Flow of Access Control (diagram): client -> TCP 445 -> authentication (Kerberos, or NTLM) -> "Access this computer from the network" user right -> access token (for a local logon: "Allow logon locally", UAC restricted token) -> sharing permissions -> NTFS permissions -> disk
Flow of Access Control
User establishes a TCP 445 connection
Server requires authentication: Kerberos, or fallback to NTLM
  user identity established
Server builds an access token for the user (network logon, type 3; the full token for domain accounts, UAC-filtered for local administrator accounts unless LocalAccountTokenFilterPolicy = 1)
Server checks the "Access this computer from the network" user right
Permissions on the share get checked
Permissions on NTFS get checked; the effective access is the intersection of the two
Lab: Sharing Doc and Homes
Log on to server GPS-DATA
Share the C:\FS\Doc folder as Documents
  permissions: Everyone = Change
  permissions: Administrators = Full Control
Share the C:\FS\Homes folder as Homes$ (hidden share)
  permissions: Everyone = Full Control
  permissions: Administrators = Full Control
NET USE
NET USE \\gps-data /user:gps\kamil P$$wd
  just provides credentials for the server, no drive mapping
NET USE \\10.10.0.21 /user:gps\jitka P$$wd
  the same server, but different credentials for a different "name"
  \\gps-data, \\gps-data.gopas.virtual and \\10.10.0.21 are all different "names"; Windows allows only one set of credentials per name per logon session (error 1219 otherwise)
NET USE \\gps-data /delete
Cleartext Passwords to NAS
Administrative Shares
Disable Admin Shares?
Should? why should admins connect to admin shares?
  malware can easily propagate to system folders
  malware can replace system and application files
Should not?
  antivirus client installation
  System Center agents
How
  HKLM\System\CurrentControlSet\Services\LanManServer\Parameters AutoShareServer = DWORD = 0 (server OS)
  HKLM\System\CurrentControlSet\Services\LanManServer\Parameters AutoShareWks = DWORD = 0 (workstation OS)
Admin/hidden shares are public: the trailing $ only hides the name from browsing; anyone who knows the name (C$, ADMIN$) can connect if the permissions allow it
File Share Auditing
Either Object Access auditing on NTFS (SACL on the folders)
Or the File Share subcategory of Object Access (5140 share accessed, 5142 share added, 5144 share deleted; Detailed File Share, 5145, gives per-file access since 2008 R2)
AUDITPOL /set /subcategory:"File Share" /success:enable /failure:enable
Lab: File Share Auditing
Log on to GPS-DC and start GPMC
Create a new GPO to enable File Share auditing
  name: Security: File Share Auditing
  linked to: gopas.virtual
  enforced: yes
Use Computer – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Object Access – File Share: success enable, failure enable
Log on to server GPS-DATA
Update group policy with GPUPDATE
Test share access from GPS-WKS as Kamil
On server GPS-DATA start Event Viewer and look up the File Share audit entries in the Security log
Access Based Enumeration
Selective authentication over trusts
Must grant the "Allowed to Authenticate" permission on the target computer accounts to the users or groups from the trusted domain
Lab: Selective Trusts
On GPS-DC switch the forest trust with BIKES domain to use Selective Authentication
Log on to BIKES-DC and try accessing \\GPS-DATA\Doc folder under BIKES\Tana credentials
On GPS-DC open properties of the GPS-DATA computer object and switch to Security tab
Grant BIKES\bikes-admin permission to Allowed to Authenticate on the GPS-DATA computer object
Verify the \\GPS-DATA\Doc access
Flow of Access Control with selective authentication (diagram): client -> TCP 445 -> authentication (Kerberos, or NTLM) -> "Allowed to Authenticate" on the server's computer object (selective trust) -> "Access this computer from the network" -> access token -> sharing permissions -> NTFS permissions -> disk
Anonymous list of shares
Anonymous (null session) enumeration of shares requires all three of
  Network access: Do not allow anonymous enumeration of SAM accounts and shares = Disabled
  Network access: Let Everyone permissions apply to anonymous users = Enabled
  Network access: Named Pipes that can be accessed anonymously includes SRVSVC
Disable SMBv1
Client/server generation -> highest SMB dialect it speaks
  2000/XP/2003 -> SMBv1 only
  Vista/2008/7/2008 R2 -> SMBv2
  8/8.1/2012/2012 R2/10/2016 -> SMBv3+ (+ encryption)
SMBv1 is disabled by default on Windows 10 1803+ and Windows Server 2019+; on everything else uninstall it once no 2003/XP-class client remains
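The check-audit-disable sequence for SMBv1 on a file server, as an added example that is not part of the original deck. It uses the SmbShare cmdlets (Windows 8.1 / 2012 R2 and newer) and the SMB1 access audit log; the event text parsing assumes the standard "Client Address:" line of event 3000.

```powershell
# Added example, not part of the original deck: finds out whether a file server still
# accepts SMBv1, turns on the SMB1 access audit to identify the legacy clients first,
# and then disables the dialect. Needs the SmbShare module (Windows 8.1 / 2012 R2+).
Import-Module SmbShare

$cfg = Get-SmbServerConfiguration
'SMB1 enabled: {0}  SMB2/3 enabled: {1}  SMB1 access auditing: {2}' -f `
    $cfg.EnableSMB1Protocol, $cfg.EnableSMB2Protocol, $cfg.AuditSmb1Access

# 1. who is connected now and with which dialect; anything below 2.0 is a legacy client
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect | Sort-Object Dialect

# 2. audit before you cut: each SMB1 connection is logged as event 3000 in Microsoft-Windows-SMBServer/Audit
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

function Get-Smb1Clients {
    # client addresses seen in the SMB1 audit events since $Since (the event text carries "Client Address: <ip>")
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
        Sort-Object -Unique
}
Get-Smb1Clients

# 3. once the list stays empty: refuse SMB1 on the server side ...
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# ... and remove the component so nothing can turn it back on
#   Server 2012 R2 / 2016:  Remove-WindowsFeature FS-SMB1
#   Windows 8.1 / 10:       Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

Leave the audit running for at least a full business cycle (month-end jobs, backup appliances) before step 3; a client that only speaks SMB1 does not fail over, it simply loses access.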
DISK QUOTAS
Volume Based Disk Quotas
Available since Windows 2000 (NTFS 3.0)
Properties of individual volumes
Quota usage is determined by the object owner
  SYSTEM, Network Service, ... (their files do not count against any user)
  Administrators (files created by admins are owned by the group, so they are not charged to the individual admin)
  individual users
Limited per volume per owner
File Server Resource Manager
Per folder quotas
Available with Windows Server 2003 R2
Installable file system filter driver and Windows service
email and event notification to administrators
File Server Resource Manager
Tools for quotas
DIRQUOTA
Flow of Access Control with quotas (diagram): client -> TCP 445 -> authentication (Kerberos, or NTLM) -> "Allowed to Authenticate" -> "Access this computer from the network" -> access token -> sharing permissions -> NTFS permissions -> folder quotas (by path, FSRM) -> volume quotas (by owner) -> disk
WINDOWS FIREWALL
Windows Firewall Versions
                        Windows XP      Windows 2003    Windows Vista/2008      Windows 7/2008 R2 and newer
Default state           enabled         disabled        enabled                 enabled
Direction               inbound         inbound         inbound, outbound       inbound, outbound
Profiles                Domain,         Domain,         Domain, Private,        Domain, Private,
                        Standalone      Standalone      Public                  Public
Per NIC profiles        no              no              no                      yes
Integrated IPsec        no              no              yes                     yes
Can disable MPSSVC      yes             yes             no                      no
Rule elements           .EXE            .EXE            .EXE, service           .EXE, service
Blocking rules          no              no              yes                     yes
Auditing                TXT file        TXT file        TXT file, Security log  TXT file, Security log
Windows Firewall General Functionality
IP, ICMP, TCP, UDP, GRE, AH, ESP inspection
Allow/block rules matching on
  IP ranges
  TCP/UDP ports and ICMP types/codes
  per .EXE
  per service (since Vista/2008)
IPsec protection (since Vista/2008)
Network Profiles
Domain Profile
  Windows XP/2003: detected by DNS suffix + ping of a DC
  since Windows Vista/2008: detected by successfully downloading Group Policy from a DC
Private Profile
  chosen by the user (or by policy); the network is recognized again by its default gateway (MAC address)
Public Profile
  transition profile while the network is being identified
  all other networks
Private vs. Public Profiles
Minimizing incident spreading (diagram, four steps): workstations (WKS) administered by Wks Admins, servers (SRV), domain controllers (DC) and an AdminGUI station; users Kamil and Jitka log on to workstations. Workstation-to-workstation traffic is blocked, so a compromised Kamil or Jitka session cannot move sideways; only Wks Admins reach the workstations, and only from AdminGUI. In the final step the direct admin access is replaced by a management server (MGMT) whose svc-mgmt service account reaches the workstations, while Wks Admins are limited users everywhere else.
Example Policy (Several GPOs)
Example Policy (No Merging)
Example Policy (Combine GPOs)
Inbound Blocking
Stealth only: a blocked port looks the same as a closed one (no RST, no ICMP unreachable)
  inactive (not listening) ports are stealth as well, so a scanner cannot tell blocked from unused
Allow local loop-back access (127.0.0.1 traffic is not filtered)
Outbound Block Rules
Does not let applications time out
  the connect fails immediately with a "general failure" style error instead of waiting for the TCP timeout
Firewall tools
NETSTAT -ano | FINDSTR :445 – locally opened and LISTENING ports with the owning PID
PORTQRY – port scan (LISTENING / NOT LISTENING / FILTERED)
PING
PSPING – ping + port scan (Sysinternals)
NETSH advfirewall – enable/disable, define rules
Flow of Access Control with firewall (diagram): client -> Windows Firewall -> TCP 445 -> authentication (Kerberos, or NTLM) -> "Allowed to Authenticate" -> "Access this computer from the network" -> access token -> sharing permissions -> NTFS permissions -> folder quotas (path) -> volume quotas (owner) -> disk
Lab: Firewall
Define Windows Firewall GPOs for workstations
  FW: Block incoming with exceptions (all)
  FW: Do not merge local rules (Workstations)
  FW: Inbound Ping (all)
  FW: Inbound RDP (domain profile, all)
  FW: Block outbound with exceptions (Workstations)
  FW: Outbound DNS (Workstations)
  FW: Outbound DHCP (Workstations)
  FW: Outbound all to 10.10.0.0/16 (Workstations)
  FW: Outbound TCP 80, 443 (Workstations)
WMI Filter: Workstations
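The workstation rule set of the lab applied locally, as an added example that is not part of the original deck. It uses the NetSecurity cmdlets (Windows 8 / 2012 and newer, the PowerShell equivalent of NETSH advfirewall) so the policy can be tested on one machine before it is written into the GPOs; 10.10.0.0/16 is the lab's internal range, the rule display names are assumptions.

```powershell
# Added example, not part of the original deck: the workstation rule set from the lab,
# applied locally with the NetSecurity cmdlets (Windows 8 / 2012+) so it can be tested
# on one machine before it goes into the GPOs listed above. 10.10.0.0/16 is the lab's
# internal range; the rule display names are assumptions.
Import-Module NetSecurity

# "Block incoming with exceptions", "Block outbound with exceptions", "Do not merge local rules"
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False `
    -LogBlocked True -LogAllowed False

# Inbound Ping (all profiles)
New-NetFirewallRule -DisplayName 'FW: Inbound Ping' -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8
# Inbound RDP, domain profile only: the same laptop on a hotel network does not expose 3389
New-NetFirewallRule -DisplayName 'FW: Inbound RDP' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -Profile Domain -Service TermService
# Outbound DNS and DHCP, tied to the services that legitimately send them
New-NetFirewallRule -DisplayName 'FW: Outbound DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -Service Dnscache
New-NetFirewallRule -DisplayName 'FW: Outbound DHCP' -Direction Outbound -Action Allow `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Service Dhcp
# Outbound everything to the internal network, and web to anywhere
New-NetFirewallRule -DisplayName 'FW: Outbound internal' -Direction Outbound -Action Allow `
    -RemoteAddress 10.10.0.0/16
New-NetFirewallRule -DisplayName 'FW: Outbound web' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80, 443

# verify: profile defaults and the rules that are actually enabled
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowLocalFirewallRules -AutoSize
Get-NetFirewallRule -DisplayName 'FW: *' | Where-Object Enabled -eq True |
    Format-Table DisplayName, Direction, Action, Profile -AutoSize
```

Binding the DNS and DHCP exceptions to their services (-Service) is the part that matters for incident containment: a malicious process cannot tunnel data out over UDP 53 just because the port is open, because the rule only applies to the Dnscache service. Tools such as nslookup, which query DNS directly, still reach the internal resolvers through the 10.10.0.0/16 rule.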
Lab: FW for Servers
Define Windows Firewall GPOs for servers
FW: Allow/Allow
FW: Block Inbound WMI
note: do not block TCP 135
WMI Filter: Servers
Firewall Auditing
Text file since Windows XP
Security event log since Windows Vista/2008
  Object Access category
  Filtering Platform Connection subcategory (5156 connection permitted, 5157 connection blocked)
  Filtering Platform Packet Drop subcategory (5152 packet dropped)
Lab: Firewall Auditing
On GPS-WKS enable firewall auditing into the Security log
On GPS-DC start CMD
Try PING GPS-WKS: this should succeed
Try PORTQRY -n GPS-WKS -e 445: this should succeed
Try PORTQRY -n GPS-WKS -e 135: this should succeed
Try PORTQRY -n GPS-WKS -e 80: this should show a state of FILTERED
Investigate the Security event log entries on GPS-WKS
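The auditing half of the lab scripted, as an added example that is not part of the original deck. It enables the two Filtering Platform subcategories and then decodes the block/drop events that the PORTQRY -e 80 test leaves in the Security log; the field names and the %%14592 direction constant are those of events 5152/5157, the port filter is the lab's.

```powershell
# Added example, not part of the original deck: turns on the two Filtering Platform
# subcategories on the workstation and then extracts the drop/block events that the
# PORTQRY -e 80 test above produces, decoding the fields Event Viewer shows only as raw text.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

function Get-WfpBlockEvents {
    # 5152 = packet dropped by a WFP filter, 5157 = connection blocked; 5156 would be "permitted"
    param([int]$Minutes = 10, [string]$DestPort)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = (Get-Date).AddMinutes(-$Minutes) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Direction = $(if ($d.Direction -eq '%%14592') { 'Inbound' } else { 'Outbound' })
                Source    = '{0}:{1}' -f $d.SourceAddress, $d.SourcePort
                Dest      = '{0}:{1}' -f $d.DestAddress, $d.DestPort
                Protocol  = $d.Protocol     # 6 = TCP, 17 = UDP, 1 = ICMP
                FilterId  = $d.FilterRTID   # look the filter up with: netsh wfp show state
                App       = $d.Application
            }
        } |
        Where-Object { -not $DestPort -or $_.Dest -like "*:$DestPort" }
}

# the PORTQRY -e 80 attempt from GPS-DC shows up as an inbound drop to <GPS-WKS>:80
Get-WfpBlockEvents -Minutes 10 -DestPort 80 | Format-Table -AutoSize
```

The FilterRTID column is what ties a drop back to a rule: netsh wfp show state dumps the active filters with the same IDs, so a drop can be attributed to a specific GPO rule rather than "the firewall". Packet Drop auditing is noisy on a busy server; enable it for the investigation and switch it off again.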
DCOM AND WINDOWS MANAGEMENT INSTRUMENTATION
RPC and DCOM
Client activation flow (diagram)
  1. the client connects to the RPC Endpoint Mapper on the server, TCP 135, and asks to activate the application by its UUID (ActivateApp)
  2. the DCOM service (running in SVCHOST.EXE) launches the DCOM application server (APP.EXE, or a .DLL hosted in a surrogate process)
  3. the server answers "the app is now running on port XXXX", a dynamic TCP port (49152-65535 since Vista/2008, 1025-5000 before)
  4. the client connects to that dynamic port for the actual calls; both hops must be allowed by the firewall
DCOM Applications
Windows Management Instrumentation (WMI)
Active Directory Certificate Services (AD CS)
Active Directory Replication
Event Log Remote Management
Task Scheduler Remote Management
Exchange Server
WMI
Remote management
DCOM based protocol
  TCP 135 plus a random dynamic TCP port
Uses normal authentication (Kerberos, or NTLM) and the "Access this computer from the network" access check
By default allowed remotely only for Administrators (DCOM remote launch/activation limits and the WMI namespace ACL)
Lab: Testing Remote WMI
Log on to server GPS-DATA
Start MSINFO32
Use View – Remote Computer to connect to GPS-WFE and view the results
If the connection is not successful, enable the Windows Management Instrumentation (WMI-In) exceptions in Windows Firewall on GPS-WFE
PowerShell
Get-WmiObject -Class Win32_Process -ComputerName GPS-WFE
WMI and DCOM Permissions
DCOM permissions are another layer of security before WMI permissions
  DCOM computer-wide limits (Component Services – My Computer – COM Security)
  DCOM permissions on the DCOM server (the WMI application)
WMI has its own namespace permissions (WMI Control – Security; Remote Enable is what non-admins lack by default)
Any later access depends on the actual object permissions on the managed objects
Enabling remote WMI access to non-admins: http://www.sevecek.com/Lists/Posts/Post.aspx?ID=17
DCOM Machine Permissions
DCOM Server Permissions
WMI Permissions
NTFS, processes, services
Flow of Access Control for DCOM (diagram): client -> Windows Firewall -> TCP 135 + dynamic TCP port -> authentication (Kerberos, or NTLM) -> "Allowed to Authenticate" -> "Access this computer from the network" -> access token -> machine DCOM permissions -> DCOM server permissions -> application permissions (WMI namespace, then NTFS, processes, services)
OTHER PERMISSION SETTINGS
Printer Permissions
Remote Desktop Permissions
Certification Authority Permissions
Process Permissions
Services and SDDL
SERVICE ACCOUNTS AND IMPERSONATION
Service Accounts
Services and IIS application pools run under some service identity
  NT AUTHORITY\System
  NT AUTHORITY\Network Service
  NT AUTHORITY\Local Service
  NT SERVICE\*
  IIS APPPOOL\*
  <domain>\*
Network Service vs. Local Service
DNS Client must register the DNS name
  runs as NT AUTHORITY\Network Service
  a secure dynamic DNS update requires Kerberos authentication, and Network Service authenticates on the network as the computer account (MACHINE$)
DHCP Client, although a networking service, does not require any authentication
  runs as NT AUTHORITY\Local Service, which appears on the network as ANONYMOUS
Lab: Network Service vs. Local Service
Log on to GPS-WKS as wks-admin
Using PSEXEC start a command line under each identity:
PSEXEC -S -I -D cmd
PSEXEC -U "NT Authority\Network Service" -I -D cmd
PSEXEC -U "NT Authority\Local Service" -I -D cmd
Try the following access from each window (succeeds as SYSTEM and Network Service, fails as Local Service, which arrives as ANONYMOUS):
dir \\gps-dc\SYSVOL
Local administrator can obtain service passwords
  any account whose password is stored on the machine (services, app pools, scheduled tasks) is recoverable by a local admin; prefer virtual or managed accounts, which have nothing to store
NT SERVICE
  NT SERVICE is the "domain" of virtual service accounts (NT SERVICE\<serviceName>): one SID per service, no password
  sc qsidtype <serviceName> shows whether the service SID is enabled (NONE / UNRESTRICTED / RESTRICTED)
IIS_IUSRS
IIS APPPOOL
  IIS APPPOOL\<appPoolName> are the analogous virtual accounts for application pools; all of them are members of IIS_IUSRS
Impersonation
Services usually access local resources under the remote user's identity (impersonation) instead of their own
To the network they go under their own identity, unless delegation is configured (double-hop)
Impersonation (diagram): a service or IIS app pool running as GPS\svc-user serves GPS\kamil. Local resources (NTFS, DCOM, registry) are accessed as GPS\kamil through impersonation; network resources (SQL, SMB, LDAP) are accessed as GPS\svc-user. With delegation (double-hop) the network resources are accessed as GPS\kamil too.
Lab: Preparations for Impersonation
Log on to GPS-WFE as srv-admin
Create folder C:\WEB\IS
Copy the contents of D:\Sevecek\IISTesty\ASP into C:\WEB\IS
Install the IIS Web Server role
  include all role services except for FTP and Hostable Web Core
Open the IIS console and delete the Default Web Site and all application pools
Lab: Impersonation
Open the IIS console
Create a new application pool
  name: ISAppPool
  identity: Network Service
Create a new web site
  name: IS
  app pool: ISAppPool
  path: C:\WEB\IS
Change the IS authentication method to Basic; you must also disable Anonymous authentication
Test http://gps-wfe/username.asp from GPS-WKS and log on as GPS\Kamil
On GPS-WFE verify that W3WP.EXE is running under Network Service
Lab: Permissions and Impersonation
On GPS-WFE change the permissions of the C:\WEB\IS folder
  Network Service – Read
  Administrators – Full Control
From GPS-WKS verify that Kamil cannot access http://gps-wfe/username.asp
From GPS-WKS verify that srv-admin can access the web page
On GPS-WFE start Process Monitor and monitor the access attempt; verify that W3WP.EXE, while impersonating Kamil, receives ACCESS DENIED on the username.asp file
Solve the problem
Service identities compared
Account                         Password             Local groups     Local isolation   Network identity    Kerberos PAC validation
NT AUTHORITY\SYSTEM             automatic, 30 days   Administrators   no                MACHINE$            no
NT AUTHORITY\Network Service    automatic, 30 days   Users            no                MACHINE$            no
NT AUTHORITY\Local Service      none                 Users            no                anonymous           no
NT SERVICE\<serviceName>        automatic, 30 days   Users            yes               MACHINE$            no
IIS APPPOOL\<appPoolName>       automatic, 30 days   Users            yes               MACHINE$            no
<domain>\<userName>             manual               Users            yes               own account         yes
<domain>\<managedSvcAccount>    automatic, 30 days   Users            yes               own account         no
<domain>\<groupSvcAccount>      automatic, 30 days   Users            yes               own account         no
"Local isolation" = the identity is distinct from the other services on the same machine; "automatic, 30 days" = the computer (or MSA/gMSA) password, rotated by Windows, nothing for a local admin to steal
Group managed AD account
Computer password change
Lab: Domain Account for IIS
On GPS-DC create a new service account for IIS
  OU: Service
  name: svc-iis-isapppool
  membership: Domain Users, Service Accounts
On GPS-WFE switch the identity of ISAppPool to GPS\svc-iis-isapppool
Verify the HTTP connection and resolve all relevant issues (NTFS permissions on C:\WEB\IS)
Where the passwords are stored
AppPool passwords (encrypted in applicationHost.config, decryptable by any local administrator)
C:\Windows\System32\InetSrv\APPCMD.exe LIST APPPOOL MyPool /text:*
Task Scheduler passwords (stored by the Task Scheduler service, likewise recoverable by a local administrator)
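A read-only inventory of the places a machine keeps service credentials, as an added example that is not part of the original deck. It lists services under explicit accounts, IIS application pools with a custom identity and scheduled tasks with a stored password, and flags MSA/gMSA accounts (name ending in $) which have no stored password. The WebAdministration part is skipped when IIS is not installed; Get-ScheduledTask needs Windows 8 / 2012 or newer.

```powershell
# Added example, not part of the original deck: inventories where a machine stores service
# account credentials, which is what a local administrator would go after: services running
# under explicit domain or local accounts, IIS application pools with a custom identity, and
# scheduled tasks with a stored password. Read-only; IIS part is skipped when not installed.
function Get-StoredCredentialUse {
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    # services: a StartName other than the built-in identities means a password (or an MSA/gMSA) is configured
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Account = $_.StartName
                           Managed = $_.StartName.EndsWith('$') }   # MSA/gMSA: no stored password
    }
    # IIS app pools: identityType SpecificUser keeps the password (encrypted) in applicationHost.config
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.identityType -eq 'SpecificUser' } | ForEach-Object {
            [pscustomobject]@{ Kind = 'AppPool'; Name = $_.Name; Account = $_.processModel.userName
                               Managed = $_.processModel.userName.EndsWith('$') }
        }
    }
    # scheduled tasks: LogonType Password means the credential is stored by the Task Scheduler service
    Get-ScheduledTask | Where-Object { $_.Principal.LogonType -eq 'Password' } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskName; Account = $_.Principal.UserId; Managed = $false }
    }
}

Get-StoredCredentialUse | Sort-Object Kind, Name | Format-Table -AutoSize
```

Every row with Managed = False is a password that a local administrator of this machine can recover, so it should belong to an account that is not an administrator anywhere else. The fix for most rows is the one the labs make: a gMSA for services and app pools, and for scheduled tasks the S4U logon type (Run whether user is logged on or not, without storing the password) where the task needs no network access.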
Lab: Investigating SQL Server
Install SQL Server 2012 on GPS-DATA
  install: Database Engine, Management Tools
  use default values
  sysadmins: GPS\SRV Admins
SQL Server Examples
Lab: SQL Server
On GPS-DC create a new service account for the SQL Server instance
  OU: Service
  name: svc-sql-isdata
  membership: Domain Users, Service Accounts
On GPS-DATA open the SQL Server Configuration Manager console
Change the SQL Server service account to GPS\svc-sql-isdata
Verify the changes in the Services console and on the file system (the tool grants the new account the required NTFS rights and privileges)
On GPS-DC verify that GPS\svc-sql-isdata does not have a servicePrincipalName attribute (the account cannot write it yet, so clients fall back to NTLM)
Enable GPS\svc-sql-isdata to update its own servicePrincipalName attribute
DSACLS CN=svc-sql-isdata,OU=Service,OU=Company,DC=gopas,DC=virtual /G "SELF:RPWP;servicePrincipalName"
Restart the SQL Server instance and verify that the servicePrincipalName attribute has been populated with two MSSQLSvc/... Kerberos SPNs
SQL Server Network Communications (diagram)
  1. the client sends an anonymous "query instance list" to the SQL Browser service, UDP 1434
  2. the SQL Browser answers "instance ISDATA is listening on TCP XXX", the dynamic port of that SQLSERVR.EXE instance
  3. the client connects to TCP XXX and authenticates with Kerberos or NTLM
Lab: Firewall Exceptions for SQL Server
On GPS-DC tighten the firewall configuration for servers
  remove GPO: FW: Allow/Allow
  apply the WMI Filter "Workstations and Servers" to FW: Block incoming with exceptions (all)
Update Group Policy on GPS-DATA with GPUPDATE
On GPS-DATA define two firewall exceptions: for SQL Browser (UDP 1434) and for the ISDATA SQL Server instance (its TCP port, or the SQLSERVR.EXE program)
Verify connectivity from GPS-WKS
  PORTQRY -n gps-data -e 1434 -p UDP
  PORTQRY -n gps-data -e ???
PHYSICAL SECURITY
Physical Security
If you have physical access to a machine or its data storage, you have full access
Nothing can prevent you from obtaining Administrators access to an unencrypted system
How to make something physically secure?
  physical security
  encryption
Attacks on Physical Security
Boot malware
  mitigated by UEFI Secure Boot; requires GPT disks + an EFI system partition
Hardware keyloggers
Hidden cameras
Offline OS modifications
  reset accounts, replace system code, change configuration, install software keyloggers
  mitigated by volume encryption (BitLocker) bound to the boot chain
Data theft
UEFI Secure Boot (check the Secure Boot State in msinfo32)
Lab: Hacking into Windows
Log on to server GPS-DATA
Insert the Windows 2008 R2 installation .ISO into the DVD drive
Restart into Setup
Press Shift-F10 to get a command prompt
CD windows\system32
COPY cmd.exe utilman.exe
Restart to the normal operating system and invoke Ease of Access on the logon screen: the SYSTEM command prompt lets you run dsa.msc, compmgmt.msc, iexplore, regedit, notepad
Note: this is exactly the offline modification that BitLocker (next section) prevents
BITLOCKER
Full Volume Encryption (FVE) aka BitLocker
BitLocker encrypts whole volumes
  the whole partition, together with its boot sector
AES 128 or AES 256 (CBC with the Elephant diffuser up to Windows 7, XTS-AES since Windows 10 1511)
Requires a "password" (key protector) before boot
Protects against theft
  offline modification of operating system settings and/or data
Does not protect among different users on a running system: use permissions for that
Requirements
Requires an unencrypted system volume to boot from
  100 MB on Windows 2008/Vista
  150 MB on Windows 2008 R2/7 – created automatically during installation
  350 MB on Windows 8/2012
  500 MB on Windows 10/2016
May encrypt the operating system volume (2008/Vista)
May encrypt data and removable volumes (2008 R2/7+, BitLocker To Go)
"Password" Options (key protectors)
48-digit numerical "recovery password"
Free-typed "password" (since 2008 R2/7)
USB "startup key" (.BEK), optionally combined with a PIN
Smart card with a certificate (data volumes only), PIN mandatory
TPM v1.2+ Trusted Platform Module built into the motherboard, optionally combined with a PIN
  a PIN is recommended: TPM-only releases the key to anyone who powers the machine on and boots the unmodified OS
Trusted Platform Module
Does not require any user interaction during boot
Releases the volume key automatically only if the measured boot chain is unchanged
  no changes to the BIOS/UEFI firmware and its configuration
  no changes to the boot order
  no changes to the master boot record and boot sector
  no changes to the boot loader
Allow BitLocker without TPM (GPO: Require additional authentication at startup)
PIN length (GPO: Configure minimum PIN length for startup)
Enabling BitLocker
Recovery Options
Backup the recovery password to AD
  if the disk is OK but we have lost the password
Backup the recovery key package (blobs) to AD
  if the disk is corrupted and the password alone does not work
BitLocker AD Backup
  stored as msFVE-RecoveryInformation child objects of the computer account; msFVE-RecoveryPassword is a confidential attribute, plain Read on the object is not enough
  BitLocker Recovery Password Viewer (ADUC extension) on Windows 2012+
Recovery password
  valid decryption metadata must be available on the volume (the same metadata is kept in 3 locations on the volume)
Key package
  self-sufficient for recovery of the raw data (repair-bde)
Lab: BitLocker
On GPS-DC create a new GPO "BitLocker"
  enable backup of BitLocker recovery information into AD
  enable BitLocker without a compatible TPM
On GPS-DATA attach a virtual floppy .VFD disk
On GPS-DATA enable BitLocker: manage-bde -on C: -RecoveryPassword -StartupKey A:\
On GPS-DC verify that the recovery key has been backed up into AD
Restart GPS-DATA and verify that BitLocker is encrypting the volume
Eject the .VFD virtual floppy
Restart GPS-DATA to observe the manual recovery prompt
Turn off BitLocker on GPS-DATA: manage-bde -off C:
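The verification steps of the lab from PowerShell, as an added example that is not part of the original deck. It reports the state of every volume with the BitLocker module (Windows 8 / 2012 and newer), backs the recovery password up to AD on demand (what the GPO does automatically at enable time), and reads the msFVE-RecoveryInformation objects back from the computer account; the ActiveDirectory module from RSAT is assumed for that last part.

```powershell
# Added example, not part of the original deck: checks the state the lab leaves behind with
# the BitLocker PowerShell module (Windows 8 / 2012+), backs the recovery password up to AD
# (what the GPO does automatically) and reads the msFVE-RecoveryInformation objects back
# from the computer account. The ActiveDirectory module (RSAT) is assumed for that part.
Import-Module BitLocker
Import-Module ActiveDirectory

function Get-BitLockerReport {
    foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            Volume     = $v.MountPoint
            Status     = $v.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            Protection = $v.ProtectionStatus    # On = protectors enforced; Off after "manage-bde -protectors -disable"
            Method     = $v.EncryptionMethod    # Aes128 / Aes256 / XtsAes128 / XtsAes256
            Protectors = ($v.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
        }
    }
}
Get-BitLockerReport | Format-Table -AutoSize

# back up every recovery password of C: to AD (no-op if the GPO already did it)
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId
}

function Get-AdBitLockerRecovery {
    # one msFVE-RecoveryInformation child object per recovery password under the computer account
    param([string]$ComputerName = $env:COMPUTERNAME)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -SearchBase $dn -SearchScope OneLevel -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-VolumeGuid', whenCreated |
        Select-Object Name, whenCreated, 'msFVE-RecoveryPassword'
}
Get-AdBitLockerRecovery | Format-List
```

A Protection = Off line in the first report with Status = FullyEncrypted is the state to alert on: the volume is encrypted but the key is stored in the clear on the disk (protectors suspended, typically after a firmware update), so the machine is not actually protected until protectors are resumed. The AD query returns the password only to accounts that hold the confidential-attribute right, which is why the Recovery Password Viewer needs delegation.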
ANTIMALWARE
Windows Defender
Windows 7+, Windows 2016+
Updates through the Windows Update service: always directly from the internet + WSUS + SMB file share + MMPC download
  definition downloads ignore the Windows Update client settings; to stop them you must disable WUAUSERV
WINDOWS UPDATE FOR SERVERS
Updating servers
Do not try to postpone the restart
Control install times and restart immediately
GPO or registry: HKLM\Software\Policies\Microsoft\WindowsUpdate\AU
  AUOptions = DWORD
  AutoInstallMinorUpdates = DWORD
  NoAutoRebootWithLoggedOnUsers = DWORD
  ...
Manual install + restart
  Automatic Updates detection frequency = 7 hours
  Turn on recommended updates via Automatic Updates = ENABLED
  Configure Automatic Updates = 3 - Auto download and notify for install
    Install updates for other Microsoft products = ENABLED
  Allow Automatic Updates immediate installation = DISABLED
  Reschedule Automatic Updates scheduled installations = DISABLED
  Allow non-administrators to receive update notifications = DISABLED
  No auto-restart with logged on users for scheduled automatic updates installations = DISABLED
  Delay Restart for scheduled installations = 5 min
  Always automatically restart at the scheduled time = 15 min
Automatic install + restart
  Automatic Updates detection frequency = 7 hours
  Turn on recommended updates via Automatic Updates = ENABLED
  Configure Automatic Updates = 4 - Auto download and schedule the install, Saturday 03:00
    Install updates for other Microsoft products = ENABLED
  Allow Automatic Updates immediate installation = DISABLED
  Reschedule Automatic Updates scheduled installations = DISABLED
  Allow non-administrators to receive update notifications = DISABLED
  No auto-restart with logged on users for scheduled automatic updates installations = DISABLED
  Delay Restart for scheduled installations = 5 min
  Always automatically restart at the scheduled time = 15 min
Lab: Windows Update for Servers
Apply the GPO to SERVERs only, using an appropriate WMI filter
  Mgmt: Windows Update - ??? + Restart
DYNAMIC ACCESS CONTROL
Evolution
Access Control Lists (ACEs) and NTFS
File Server Resource Manager (FSRM) and simple file classification
Active Directory (AD) integrated classification and NTFS rules with term conditions
Automatic file classification with FSRM
Kerberos claims and user attributes
Kerberos compound ID and computer attributes
Central AD defined NTFS access rules and their enforcement with FSRM
Evolution
Feature                              Server               Client                     Schema 2012 / DFL / FFL
AND logic ACL                        Windows 2012         -                          -
FSRM automatic classification        Windows 2012 FSRM    -                          -
AD integrated classification terms   Windows 2012 FSRM    -                          schema 2012, FFL 2003
AD integrated NTFS access rules      Windows 2012 FSRM    -                          schema 2012, FFL 2003
User claims                          Windows 2012         -                          one Windows 2012 DC
Computer claims                      Windows 2012         Windows 8 / Windows 2012   local Windows 2012 DC
Claims, Terms, Classifications, Metadata
They are just the same thing seen from different tools: a name/value pair attached to a user, a device or a file
ACCESS CONTROL LISTS
What is New in Security in Windows 2012
Until Windows 2012
Sorted in order
  DENY is not always stronger
Has OR logic only
  ACEs for several groups are alternatives; "member of A AND member of B" needs a shadow group
  combined "AND" groups multiply the group count
Group Limits
Access token
  1024 SIDs maximum
Kerberos ticket
  12 kB by default (MaxTokenSize)
  global group = 8 B
  domain local group / foreign universal group = 40 B
  260 max
Classic flow of access control (diagram): client -> Windows Firewall -> TCP 445 -> authentication (Kerberos, or NTLM) -> "Allowed to Authenticate" -> "Access this computer from the network" -> access token (UAC restricted token for local logon, "Allow logon locally") -> sharing permissions -> NTFS permissions -> folder quotas (path) -> volume quotas (owner) -> disk
New in Windows 2012
AND logic possible
Extendable with claims
FSRM file claims
user claims
device (computer) claims
Requires domain membership
Windows 8, Windows 2012
New flow of access control (diagram): the same chain as the classic flow (Windows Firewall -> TCP 445 -> authentication -> "Allowed to Authenticate" -> "Access this computer from the network" -> access token -> sharing permissions -> NTFS permissions -> quotas -> disk), with the NTFS permissions step extended by condition ACEs that evaluate user claims, device claims and file classification
FILE CLASSIFICATION
File Server Resource Manager (FSRM)
Manual File Classification
Automatic File Classification
file name wildcard
folder path
words and/or regular expressions
PowerShell code
Locally vs. AD defined terms
Adds file metadata
alternative NTFS streams
File claims and ACL
File claims can be used in the new ACE conditions
only AD based file terms
AD defined file claims (resource properties)
  require the Windows 2012 schema extension
  require Windows 2003 forest functional level
  do not require any Windows 2012 DC
  need some editor like ADSI Edit or the Windows 2012 ADAC to define them
  must be uploaded to the FSRM servers manually (Update-FsrmClassificationPropertyDefinition)
KERBEROS CLAIMS
Kerberos ticket until Windows 2012 KDC
User identity
  login name
  SID
Additional SIDs
  groups
  SID history
Good old Kerberos (diagram): client XP <-> DC 2003: TGT, then TGS request and the service ticket (TGS) carrying the SIDs; client -> server: the TGS with SIDs
What is new in Kerberos tickets with Windows 2012 KDC
User identity (login, SID) and additional SIDs (groups, SID history) as before, plus
User claims
  AD attributes of the user carried in the Kerberos TGT
Requirements
  at least a single Windows 2012 DC (KDC)
Tickets are extensible
  if the client does not understand the extension, it simply ignores its contents
  if the server requires user claims and they are not present in the TGS ticket, it asks a Windows 2012 DC directly (secure channel)
Good old Kerberos supports claims as well (diagram): client XP <-> DC 2003 issues the TGT and a TGS with SIDs only; client -> Server 2012 presents the TGS; Server 2012 -> DC 2012 fetches the user claims over the secure channel
Brand new Kerberos with Windows 2012 KDC (diagram): client XP <-> DC 2012: the TGT already carries SIDs + user claims, and the TGS issued from it carries SIDs + user claims; client -> Server 2012 presents the TGS and the server reads the claims from the ticket
What is new in Kerberos with DFL 2012
User identity (login, SID), additional SIDs (groups, SID history)
User claims: AD attributes of the user in the Kerberos TGT
Device claims: AD attributes of the computer, carried as Compound ID in the Kerberos TGT
Kerberos Compound ID with device claims (diagram): client 8 -> DC 2012: TGT request; the DC returns the user TGT with user claims and the computer TGT with device claims; the service ticket (TGS) issued from both carries SIDs + user claims + device claims; client -> Server 2012 presents it
Requirements
At least local Windows 2012 DC (KDC)
better to have 2012 DFL for consistent behavior
Clients Windows 8 or Windows 2012
must ask for TGTs with Compound ID extension
Server cannot just obtain device claims because it does not know from what device the user came
CENTRAL ACCESS RULES
Requirements
  Windows 2012 schema extension
  Windows 2003 forest functional level
  does not require any Windows 2012 DC
  some editor like ADSI Edit or the Windows 2012 ADAC to define the rules and policies
  the central access policy is delivered to the file servers by Group Policy (Computer Configuration – Security Settings – File System – Central Access Policy)